Regulatory compliance is the process of ensuring that organizations are aware of, follow and conform with certain laws, regulations and rules (e.g. policies, standards, guidelines, codes of conduct, requirements, specifications, etc.). These rules can be internal, made by the organization itself, or enforced by external bodies or factors such as governments, legislators, regulators, the market, the industry, the environment, etc.
Thus, organizations are required to identify and understand the regulations that apply to them, and the risks associated with those requirements, which vary by the organization's nature (i.e. public, private, non-profit), size and the type of industry in which it operates.
Compliance landscape
There are numerous regulations; some are generic and others apply to specific industries (e.g. banking, retail, manufacturing, healthcare). The intent of most of these regulations is to protect the confidentiality, integrity and availability of information that affects the organization's stakeholders (e.g. regulators, owners, employees, suppliers, customers, partners, etc.), as well as to protect intellectual property and fight fraudulent activities such as corruption, bribery and money laundering. Below is a list of some broadly applicable laws and regulations:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- Federal Information Security Management Act (FISMA)
- Sarbanes-Oxley Act (SOX)
- European Union Data Protection Directive (EUDPD)
- Gramm-Leach-Bliley Act (GLBA)
- Children's Internet Protection Act (CIPA).
Compliance challenges
Organizations are adopting new business models (e.g. IoT, BYOD, social media, big data, cloud computing, etc.). These models have changed the business landscape and present real challenges for organizations, which must acquire and embrace them while at the same time complying with regulations that are increasingly out of date and have not kept pace with these recent technology trends.
In addition to the need to invest and allocate significant resources (e.g. talent, budget, training, tools) for compliance-related activities, organizations face several challenges in understanding and conforming to regulations that are often generic, hard to interpret, and sometimes contradict each other. This is without mentioning the challenge for international organizations of complying simultaneously with various regional and local regulations that differ from one country to another.
Regulatory compliance requires organizations to apply a wide range of practices while addressing compliance issues, such as introducing transparency, protecting sensitive data, retaining records, providing detailed reporting, training employees and raising awareness, assessing and treating risks, establishing, implementing and measuring controls, monitoring activities, enhancing communications and ensuring continual improvement.
Compliance risk management is part of the GRC umbrella (Governance, Risk management and Compliance), which overlaps with various business disciplines such as incident management, internal auditing, risk assessment, and compliance with regulations.
Compliance is also about demonstrating and reporting back to regulators, in a timely manner, that the relevant requirements are effectively in place and operational; failing to do so is considered non-compliance, which exposes the organization to compliance risk by triggering fines and losses.
Nevertheless, exceptions can be made when an organization decides not to comply with certain requirements and agrees to pay the relevant fines. Such a decision may be taken to avoid implementing ineffective or costly controls that exceed the organization's capacity and hold it back from creating value and achieving its strategic objectives. Such a decision creates a non-compliance and requires top management recognition and approval, with appropriate justification and documentation.
Compliance benefits
On top of the implicit challenges in conforming to regulations, compliance brings several underlying opportunities to improve organizations, create value for stakeholders while assuring compliance, and gain competitive advantage by adopting best practices, restructuring, embracing ethics and culture, training employees, increasing performance, improving measurements, managing risks, enforcing controls, prioritizing tasks, enhancing quality, optimizing resources and eliminating ineffective practices.
Below are some well-known frameworks, standards and best practices that help organizations comply with mandatory regulations:
- Control Objectives for Information and related Technology (COBIT)
- Information security management system – ISMS (ISO/IEC 27000 series)
- National Institute of Standards and Technology Special publications (NIST SP 800 series)
- Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- Information Technology Infrastructure Library (ITIL)
- The FFIEC Information Technology Examination Handbook series
- Basel III, etc.
International organizations that are subject to multiple national regulations should develop a holistic approach in response to the common, mandatory regulations, in addition to particular supplements (e.g. on a country-by-country basis) suited to addressing regional specifics and local issues.
Conclusion
Organizations should be aware of and willing to comply with relevant regulations, and adopt suitable practices in order to manage the associated risks, ensure sustainability, improve their lines of defense, and gain value and a competitive edge while addressing regulatory compliance.
While regulations continuously emerge and try to adapt and keep up with the changing business landscape, it is essential for organizations to embrace a culture of compliance. Internal auditors and risk managers should be familiar with the compliance universe and the culture of their organizations, and assist them in providing assurance to mitigate compliance risks.